Backend: Add DISMISSED status and feature flag for status-based FP gating

What does this MR do and why?

Backend changes for the issue "Show FP badge for AI-detected flags regardless of confidence score": this MR introduces the vulnerability_flag_status_based_gating feature flag and all backend support for status-based gating.

Frontend changes are in the follow-up MR: !230075

Key changes

Model:

  • Add dismissed: 5 enum value to Vulnerabilities::Flag for manual dismissals
  • Add DISMISSABLE_STATUSES constant (detected_as_fp, detected_as_not_fp)

Service:

  • Update DismissFalsePositiveService to create flags with status: :dismissed (behind FF)
  • Use status-based can_dismiss_flag? check (behind FF), falling back to confidence-score check

Helper:

  • Serialize flag status (UPPER_SNAKE_CASE) and origin in vulnerabilities_helper.rb (behind FF)
  • Add nil-safety guard for status&.upcase

Feature flag:

  • Add vulnerability_flag_status_based_gating WIP feature flag
  • Push feature flag in vulnerability controllers (project, group, vulnerability report)
  • Rollout issue: #595697

GraphQL:

  • Add DISMISSED value to VulnerabilityFalsePositiveDetectionStatus enum
  • Regenerate introspection schema
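Added illustration of the gating change described under Service and Helper above. This is stand-alone Ruby written for this description, not code from the MR or from GitLab: the Flag struct, the ff_enabled keyword and the 0.5 legacy confidence threshold are assumptions, since the MR does not state how the confidence-score check is parameterised. It shows the security-relevant point: with the flag on, dismissability follows the detection status (detected_as_fp / detected_as_not_fp), so an AI-detected flag with a 0.0 confidence score is still dismissable, while a flag that is already dismissed is not; with the flag off, the old confidence-score check applies. The serializer mirrors the helper's nil-safe UPPER_SNAKE_CASE status and raw origin.

```ruby
# Illustrative model of status-based FP gating with a feature-flag fallback.
# Not the MR's code: Flag, ff_enabled: and CONFIDENCE_THRESHOLD are assumptions.
require 'set'

# Mirrors the DISMISSABLE_STATUSES constant added to Vulnerabilities::Flag.
DISMISSABLE_STATUSES = Set[:detected_as_fp, :detected_as_not_fp].freeze

# Assumed legacy threshold; the MR does not state the real value.
CONFIDENCE_THRESHOLD = 0.5

# Minimal stand-in for a Vulnerabilities::Flag record.
Flag = Struct.new(:status, :confidence_score, :origin, keyword_init: true)

# New path (flag on): gate on status only, so the confidence score is ignored.
# Old path (flag off): gate on the confidence score, as before this MR.
def can_dismiss_flag?(flag, ff_enabled:)
  if ff_enabled
    DISMISSABLE_STATUSES.include?(flag.status)
  else
    !flag.confidence_score.nil? && flag.confidence_score >= CONFIDENCE_THRESHOLD
  end
end

# Helper-side serialisation: status as UPPER_SNAKE_CASE (nil-safe via &.),
# origin passed through unchanged. Nothing is emitted when the flag is off.
def serialize_flag(flag, ff_enabled:)
  return {} unless ff_enabled

  { status: flag.status&.to_s&.upcase, origin: flag.origin }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample matching the validation data in this MR description.
  flag = Flag.new(status: :detected_as_not_fp, confidence_score: 0.0,
                  origin: 'ai_sast_fp_detection')
  puts "FF on,  dismissable: #{can_dismiss_flag?(flag, ff_enabled: true)}"
  puts "FF off, dismissable: #{can_dismiss_flag?(flag, ff_enabled: false)}"
  puts serialize_flag(flag, ff_enabled: true).inspect
end
```

The two paths give opposite answers for the same low-confidence AI flag, which is exactly why the change ships behind a feature flag: flipping it changes which flags users can dismiss, so the rollout issue should confirm the status values are populated for existing flags before enabling.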

How to set up and validate locally

  1. Enable the feature flag:

    Feature.enable(:vulnerability_flag_status_based_gating)
  2. Create test data:

    project = Project.find_by_full_path('YOUR_PROJECT_PATH')
    finding = project.vulnerabilities.first.finding
    
    finding.vulnerability_flags.create!(
      flag_type: :false_positive,
      origin: 'ai_sast_fp_detection',
      confidence_score: 0.0,
      status: :detected_as_not_fp,
      description: 'AI detected as not FP',
      project_id: project.id
    )
  3. Verify in Rails console:

    helper = Class.new { include VulnerabilitiesHelper }.new
    # Stub current_user without rspec-mocks, which is not loaded in a Rails console
    helper.define_singleton_method(:current_user) { User.first }
    data = helper.vulnerability_finding_data(project.vulnerabilities.first)
    data[:latest_flag][:status] # => "DETECTED_AS_NOT_FP"
    data[:latest_flag][:origin] # => "ai_sast_fp_detection"

MR acceptance checklist

  • This MR does not add a migration
  • Backend changes have spec coverage
  • Changes are behind a feature flag
Edited by Illya Klymov
